Identity Theft Red Flags Procedures

Document Sample
Identity Theft Red Flags Procedures Powered By Docstoc
					                             Identity Theft Red Flags Procedures
INTRODUCTION AND PURPOSE
DEFINITIONS
EXCEPTIONS
PENALTIES
RECORD RETENTION REQUIREMENTS
717.90 Duties Regarding the Detection,                             Yes/No   Comments
Prevention, and Mitigation of Identity Theft
1. Verify that the credit union periodically identifies covered
accounts it offers or maintains. Verify that the credit union:
• included accounts for personal, family, and household
purposes that permit multiple payments or transactions; and
• conducted a risk assessment to identify any other accounts
that pose a reasonably foreseeable risk of identity theft,
taking into consideration the methods used to open and
access accounts, and the institution’s previous experiences
with identity theft. (717.90(c))


2. Review examination findings in other areas (e.g. Bank
Secrecy Act, Customer Identification Program and Customer
Information Security Program) to determine whether there
are deficiencies that adversely affect the credit union’s
ability to comply with the Identity Theft Red Flags Rules
(Red Flag Rules).
3. Review any reports, such as audit reports and annual
reports prepared by staff for the board of directors (or an
appropriate committee thereof or a designated senior
management employee) on compliance with the Red Flag
Rules, including reports that address:
• the effectiveness of the credit union’s Identity Theft
Prevention Program (Program);
• significant incidents of identity theft and management’s
response;
• oversight of service providers that perform activities related
to covered accounts; and
• recommendations for material changes to the Program.

Determine whether management adequately addressed any
deficiencies. (717.90(f), Guidelines, Section VI(b))
4. (a)Verify that the credit union has developed and
implemented a comprehensive written Program, designed to
detect, prevent, and mitigate identity theft in connection with
the opening of a covered account or an existing covered
account. The Program must be appropriate to the size and
complexity of the credit union and the nature and scope of its
activities. (717.90(d)(1)).




                                                             1
                              Identity Theft Red Flags Procedures
   (b)Verify that the credit union considered the Guidelines
in Appendix J to the regulation (Interagency Guidelines on
Identity Theft Detection, Prevention, and Mitigation) in the
formulation of its Program and included those that are
appropriate. (717.90(f))
   (c)Determine whether the Program has reasonable
policies, procedures and controls to effectively identify and
detect relevant Red Flags and to respond appropriately to
prevent and mitigate identity theft. (717.90(d)(2)(i)-(iii))

    (d)Determine whether the credit union uses technology to
detect Red Flags. If it does, discuss with management the
methods by which the credit union confirms the technology
is working effectively.
    (e)Determine whether the Program (including the Red
Flags determined to be relevant) is updated periodically to
reflect changes in the risks to customers and the safety and
soundness of the credit union from identity theft.
(717.90(d)(2)(iv))
    (f)Verify that (i) the board of directors (or appropriate
committee thereof) initially approved the Program; and (ii)
the board (or an appropriate committee thereof, or a
designated senior management employee) is involved in the
oversight, development, implementation and administration
of the Program. (717.90(e)(1) and (2))
5. Verify that the credit union trains appropriate staff to
effectively implement and administer the Program.
(717.90(e)(3))
6. Determine whether the credit union exercises appropriate
and effective oversight of service providers that perform
activities related to covered accounts. (717.90(e)(4))

717.91 Duties of Card Issuers Regarding                            Yes/No   Comments
Changes of Address
1. Verify that the card issuer has policies and procedures to
assess the validity of a change of address if:
   • it receives notification of a change of address for a
member’s debit or credit card account; and
   • within a short period of time afterwards (during at least
the first 30 days after it receives such notification), the card
issuer receives a request for an additional or replacement
card for the same account. (717.91(c))




                                                               2
                             Identity Theft Red Flags Procedures
2. Determine whether the policies and procedures prevent
the card issuer from issuing additional or replacement cards
until it:
   • notifies the cardholder at the cardholder’s former address
or by any other means previously agreed to and provides the
cardholder a reasonable means to promptly report an
incorrect address (717.91(c)(1)(i)-(ii)); or
   • uses other reasonable means of evaluating the validity of
the address change; (717.91(c)(2))

In the alternative, a card issuer may validate a change of
address request when it is received, using the above
methods, prior to receiving any request for an additional or
replacement card. (717.91(d))
3. Determine whether any written or electronic notice sent to
cardholders for purposes of validating a change of address
request is clear and conspicuous and is provided separately
from any regular correspondence with the cardholder.
(717.91(e))
4. If procedural weaknesses or other risks requiring further
information are noted, obtain a sample of notifications from
cardholders of changes of address and requests for additional
or replacement cards to determine whether the card issuer
complied with the regulatory requirement to evaluate the
validity of the notice of address change before issuing
additional or replacement cards.




                                                            3